Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Dafydd Davies (SOC Automation Engineer).
Top stories – 16 February 2024
- New critical Microsoft Outlook RCE bug is trivial to exploit
- Hackers used new Windows Defender zero-day to drop DarkMe malware
- Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks
- PikaBot Resurfaces with Streamlined Code and Deceptive Tactics
- 200,000 Facebook Marketplace user records leaked on hacking forum
New critical Microsoft Outlook RCE bug is trivial to exploit
Key takeaways:
- Microsoft warns of a critical vulnerability in Outlook (CVE-2024-21413), enabling remote code execution by attackers.
- Check Point discovers flaw allowing bypass of Office Protected View, granting access to malicious files in Outlook 2016 and Office 2019.
- Attackers exploit flaw remotely, potentially leading to NTLM credential theft and arbitrary code execution. Immediate patching recommended due to active exploitation.
The details:
Microsoft warned of a critical Outlook vulnerability, CVE-2024-21413, that remote unauthenticated attackers can exploit easily to achieve remote code execution (RCE). Discovered by Check Point, the flaw lets attackers bypass Office Protected View, so malicious Office files open for editing rather than read-only. The vulnerability affects various Microsoft Office products, including Outlook 2016 and Office 2019.
Attackers can exploit it remotely without user interaction, potentially gaining high privileges. Check Point’s report outlines how attackers can exploit the flaw by adding an exclamation mark to URLs in malicious emails, bypassing Outlook’s security restrictions. The flaw stems from the MkParseDisplayName API, so other software that uses this API may also be affected. Successful attacks could lead to NTLM credential theft and arbitrary code execution. Check Point advises applying the official patches promptly, as the vulnerability was actively exploited as a zero-day before the recent patch update. Microsoft has since retracted its initial statements about active exploitation.
Article link: https://www.bleepingcomputer.com/news/security/new-critical-microsoft-outlook-rce-bug-is-trivial-to-exploit/
Hackers used new Windows Defender zero-day to drop DarkMe malware
Key takeaways:
- Microsoft patches zero-day (CVE-2024-21412) exploited by Water Hydra and DarkCasino for DarkMe trojan distribution via Windows Defender SmartScreen bypass.
- Water Hydra targets forex traders using spearphishing with malicious stock charts, leveraging English and Russian messages on trading platforms.
- Trend Micro highlights the flaw’s bypass of another SmartScreen vulnerability (CVE-2023-36025) and Microsoft’s additional patching of CVE-2024-21351, allowing code injection.
The details:
Microsoft has addressed a zero-day vulnerability, CVE-2024-21412, in Windows Defender SmartScreen, exploited by the Water Hydra (DarkCasino) threat group to distribute the DarkMe remote access trojan. The flaw allows attackers to bypass SmartScreen security checks by convincing users to click on specially crafted files. Trend Micro’s Peter Girnus disclosed that CVE-2024-21412 bypasses a fix for another SmartScreen vulnerability, CVE-2023-36025, which was previously used to deploy the Phemedrone malware.
Water Hydra targeted forex traders with spearphishing attacks, luring victims with malicious stock charts linked from compromised websites. Their tactics include posting messages in English and Russian on trading forums and Telegram channels. The campaign was aimed at data theft or ransomware deployment. The attackers have a history of exploiting zero-day vulnerabilities, such as CVE-2023-38831 in WinRAR. Today, Microsoft also patched CVE-2024-21351, another SmartScreen zero-day that allows code injection.
Article link: https://www.bleepingcomputer.com/news/security/hackers-used-new-windows-defender-zero-day-to-drop-darkme-malware/
Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks
Key takeaways:
- GoldFactory, a Chinese cybercrime group, created sophisticated banking trojans like GoldPickaxe targeting Asia-Pacific.
- They use social engineering to distribute malware through smishing and phishing.
- Users should avoid suspicious links and untrusted apps, and review app permissions regularly, to stay safe.
The details:
A Chinese-speaking cybercrime group named GoldFactory is behind the development of sophisticated banking trojans, including the newly discovered iOS malware GoldPickaxe, capable of harvesting personal data and intercepting SMS. GoldFactory, linked to Gigabud, targets the Asia-Pacific region, particularly Thailand and Vietnam, using social engineering to distribute malware via smishing and phishing.
GoldPickaxe for iOS exploits Apple’s TestFlight platform, while the Android version poses as various applications to steal login credentials. GoldPickaxe even employs deepfake technology to bypass facial recognition measures. GoldDigger, an Android trojan related to GoldPickaxe, targets Vietnamese financial apps. GoldFactory’s tactics include impersonation, keylogging, and fake websites.
To protect against such threats, users are advised to avoid suspicious links and untrusted apps and review app permissions regularly.
PikaBot Resurfaces with Streamlined Code and Deceptive Tactics
Key takeaways:
- PikaBot’s developers have simplified the malware; it is less complex but still a threat.
- It infiltrates networks via phishing, with recent versions employing simpler encryption methods.
- Additionally, there’s an ongoing campaign targeting Microsoft Azure, compromising user accounts through personalized phishing tactics.
The details:
The PikaBot malware, previously known for its complexity, has undergone significant simplification by its developers, a change described as a “devolution.” Zscaler’s analysis of version 1.18.32 shows reduced complexity: advanced obfuscation techniques have been removed and network communications altered.
PikaBot, a loader and backdoor, targets networks via phishing, with recent versions simplifying encryption algorithms and storing bot configuration in plaintext. Despite these changes, it remains a significant cyber threat, capable of executing commands and injecting payloads from a command-and-control server.
Additionally, Proofpoint has warned of an ongoing cloud account takeover campaign targeting Microsoft Azure environments, compromising hundreds of user accounts through individualized phishing lures and malicious links for credential harvesting and financial fraud.
Article link: https://thehackernews.com/2024/02/pikabot-resurfaces-with-streamlined.html
200,000 Facebook Marketplace user records leaked on hacking forum
Key takeaways:
- IntelBroker leaked 200,000 records of Facebook Marketplace users’ personal data from a Meta contractor’s breach.
- The leaked info, verified by BleepingComputer, includes names, phone numbers, emails, and Facebook IDs.
- This adds to Meta’s history of breaches, including a €265 million fine in 2022 for failing to protect user data after a 533 million account leak in 2021.
The details:
A threat actor known as IntelBroker leaked 200,000 records on a hacker forum, purportedly containing personal information of Facebook Marketplace users, acquired through a breach of a Meta contractor’s systems.
The leaked data includes names, phone numbers, email addresses, Facebook IDs, and profile information. BleepingComputer verified the authenticity of the leak. The exposed information can be used for phishing and mobile phishing attacks, as well as SIM swap attacks to hijack accounts. IntelBroker has been linked to previous breaches, including DC Health Link, Hewlett Packard Enterprise, General Electric Aviation, and Weee! grocery service.
This incident adds to Meta’s history of data breaches, with a €265 million fine in November 2022 for failing to protect user data after a 533 million Facebook account data leak in April 2021, which included phone numbers and other personal details.
Article link: https://www.bleepingcomputer.com/news/security/200-000-facebook-marketplace-user-records-leaked-on-hacking-forum/
Thanks for reading, and stay tuned for next week’s cybersecurity round-up!
Subscribe to Critical Chatter on LinkedIn so you never miss an update.